Share the Armadillo simple shelling skills
  Add date: 03/11/2011   Publishing date: 03/11/2011   Hits: 156
 

The Armadillo shell (also known as the "pangolin" protection shell) is an encryption shell. The ESP-law unpacking method that worked on earlier packers cannot finish the job here, so it belongs in the "tough shell" category. In plain terms, Armadillo's protection can be broken down into four groups: the license level of the protection system, the process model, the protection modes applied to the program, and other settings. License level: standard, non-standard, and professional edition. Process model: single process or double process. Protection modes applied to the program: import table scrambling, Nanomites, strategic code splicing, and other protection modes. Other settings: key-specific settings and time settings. Combined arbitrarily, these form a powerful, varied and ever-changing protection mechanism, one that leaves many "newborn calves" (newcomers) daunted. Below I describe a simple unpacking method for single-process and double-process Armadillo protection, so that it no longer has to be difficult.

 

Armadillo 1.xx - 2.xx, single process: the simple unpacking method

1) Preparation: collect all the information

Checking the shell with PEiD reports "Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks". In the Armadillo protection checker V1.4 (Chinese-localized edition), the "Protected" check shows that the target is protected by Armadillo; the protection system license level is the standard edition; the protection mode applied to the program is standard protection or minimum protection mode; the backup key setting is a fixed backup key; the program compression setting is the minimal/fastest compression method; and the other protection settings give the version number 3.70. This is the most basic protection setup. Run the target program, then run LordPE: it shows a single-process model, as in Figure 1. With that, information collection is finished!

 

 


Figure 1

 

2) Locating the code in OD

Run OD and load the target program czssgold.exe (under C:\ - Filessmswriter color honour gold edition). The program stops here:

 

004C9B19 > /$ 55                push ebp                                  ; load location (entry point)
004C9B1A   |. 8BEC              mov ebp, esp
004C9B1C   |. 6A FF             push -1
004C9B1E   |. 68 385A4E00       push 004E5A38
004C9B23   |. 68 00954C00       push 004C9500                             ; SE handler installation
004C9B28   |. 64:A1 00000000    mov eax, dword ptr fs:[0]
004C9B2E   |. 50                push eax
004C9B2F   |. 64:8925 00000000  mov dword ptr fs:[0], esp
004C9B36   |. 83EC 58           sub esp, 58
004C9B39   |. 53                push ebx
004C9B3A   |. 56                push esi
004C9B3B   |. 57                push edi
004C9B3C   |. 8965 E8           mov dword ptr [ebp-18], esp
004C9B3F   |. FF15 4C014E00     call dword ptr [<&KERNEL32.GetVersion>]   ; KERNEL32.GetVersion
004C9B45   |. 33D2              xor edx, edx

 

We usually set a breakpoint on GetModuleHandleA. I set it with BP: press Ctrl+G, enter GetModuleHandleA, confirm, and set the breakpoint; when the program is run, OD stops at the code below.

 

7C80B529 >  8BFF              mov edi, edi                              ; stops here
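The prologue in the listing above (push ebp / mov ebp, esp / push -1 / two pushes / the fs:[0] SEH frame setup) is the ordinary VC++ entry sequence, and a wildcard byte signature built from it is what identification tools such as PEiD match when they decide whether an entry point looks compiler-generated or is still covered by a protector's stub. The following is an added example, not code from the original article or from any tool it names; the signature, the sample bytes and the packer-stub bytes are constructed from the listing above and are assumptions for illustration.

```python
from typing import Optional

# Signature derived from the OEP listing above. None is a wildcard: the two
# push operands, the 'sub esp, N' size and the import slot differ per binary,
# while the opcodes and the fs:[0] SEH frame setup do not.
MSVC_PROLOGUE_SIG: list[Optional[int]] = [
    0x55, 0x8B, 0xEC, 0x6A, 0xFF,           # push ebp / mov ebp, esp / push -1
    0x68, None, None, None, None,           # push <handler data>
    0x68, None, None, None, None,           # push <SE handler>
    0x64, 0xA1, 0, 0, 0, 0,                 # mov eax, dword ptr fs:[0]
    0x50,                                   # push eax
    0x64, 0x89, 0x25, 0, 0, 0, 0,           # mov dword ptr fs:[0], esp
    0x83, 0xEC, None,                       # sub esp, N
    0x53, 0x56, 0x57,                       # push ebx / push esi / push edi
]


def parse_signature(text: str) -> list[Optional[int]]:
    """Parse a PEiD-style hex signature ('55 8B EC ?? ??') into a byte/wildcard list."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(code: bytes, offset: int, sig: list[Optional[int]]) -> bool:
    """True if the signature matches code at offset, honouring wildcards."""
    if offset < 0 or offset + len(sig) > len(code):
        return False
    return all(b is None or code[offset + i] == b for i, b in enumerate(sig))


def find_signature(code: bytes, sig: list[Optional[int]]) -> list[int]:
    """All offsets in a code section where the signature matches (triage scan)."""
    return [i for i in range(len(code) - len(sig) + 1) if matches_at(code, i, sig)]


def looks_like_msvc_prologue(entry_code: bytes) -> bool:
    """Triage check: does the entry point start with the compiler-generated prologue?"""
    return matches_at(entry_code, 0, MSVC_PROLOGUE_SIG)


# Constructed sample input: the raw opcode bytes of 004C9B19..004C9B45 from the listing.
OEP_BYTES = bytes.fromhex(
    "55 8BEC 6AFF 68385A4E00 6800954C00 64A100000000 50 64892500000000"
    " 83EC58 53 56 57 8965E8 FF154C014E00 33D2"
)
# Constructed non-matching entry (a 'pushad; call $+5; pop ebp' style stub), for contrast.
STUB_BYTES = bytes.fromhex("60 E800000000 5D 81ED00000000")

if __name__ == "__main__":
    print("OEP prologue  :", looks_like_msvc_prologue(OEP_BYTES))    # True
    print("stub prologue :", looks_like_msvc_prologue(STUB_BYTES))   # False
    print("match offsets :", find_signature(b"\x00" * 16 + OEP_BYTES, MSVC_PROLOGUE_SIG))  # [16]
```

An entry point that fails this check is not proof of a protector on its own (other compilers emit different prologues), so treat it as one triage signal next to the PEiD and LordPE results above.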

 
